
Page 1: Educause Security Professionals Conference Network Access Control through Quarantine, Remediation, and Verification Jonny Sweeny Incident Response Manager

Educause Security Professionals Conference

Network Access Control through Quarantine, Remediation, and

Verification

Jonny Sweeny
Incident Response Manager

Office of the VP for IT
Indiana University

5 May 2008

Copyright 2008, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2

Overview

• IU’s Get Connected
  – Computers new to the network

• Blocking “bad” systems
  – Communication
  – Restoring access

Page 3

Page 4

Get Connected Stats

• 7,641 computers connected in 14 days

• Currently only required in Residence Halls on Windows wired connections

• 81% are laptops

Page 5

Other reasons to restrict network access

• Compromised systems
  – Detected by sensors
    • Port scanning, high mailers, etc.
  – Detected by logs
    • DNS botted, spyware, etc.
    • Webmail compromised credentials

• Copyright infringement

Page 6

Blocking Options

• MAC address
• VPN
• Dialup
• 802.1x
• Static IP null-route
• Switch-port

Page 7

Communication

• User needs to know why the machine is blocked
  – Sending an email to the user is not sufficient; however, CC-ing their support provider helps
  – Redirecting to a self-service site is ideal
  – Dynamically-assigned VLANs

Page 8

User receives notification email

Jonny,

Network reports indicate that the computer listed below has been compromised. It appears a bot has taken over the system. A "bot," or "robot," is a program that is installed by an intruder, so that the machine takes actions automatically, as programmed by the intruder and at times specified by the intruder who put the bot there.

Date (Timezone=UTC)   Type  IP Address       Remote IP Address
-------------------   ----  ---------------  -----------------
2008-03-12 02:57:12   vpn   156.56.175.226   76.252.188.1
2008-04-01 14:01:31   dhcp  156.56.18.118    00:06:5b:17:17:xx iu-itpo-iceland

*** Network access for this user or computer is being blocked to ***
*** protect the University network from this threat. ***

If your machine is not running a Windows operating system, please consult with the Support Center on how to rebuild for your operating system.

To recover from this compromise it is necessary to completely rebuild the computer. When a computer is compromised in this manner, anything on the system can be modified and/or monitored by someone else.

When you are finished and wish to have network access restored, please reply back to this message, leaving the subject line intact, and outline specifically what actions you took. You must take all actions listed in order for us to restore access.

Help with these steps can be obtained from the KB article titled "In Windows, how do I rebuild my computer after a system-level compromise" available at http://kb.iu.edu/data/anbp.html

1. Remove the computer from the network by removing the network cable from the computer, or by turning off the wireless or dialup connection. Do not reconnect the computer until all steps have been completed, or you run the risk of being compromised again.

2. Backup your personal files. If you do not take this step, you will lose all of your data when you perform step #3.

3. Perform a New Install of Windows XP or Vista. Make sure you use a new password for the Administrator account when setting up Windows. When you reboot the machine, you should allow automatic updates when prompted, which is the recommended action.

4. Install anti-virus software. Symantec AntiVirus is available on the IUware CD, and is configured to update virus patterns daily. If you do not use Symantec AntiVirus, make sure your software is configured to update daily.

If you have any questions about these instructions, need help obtaining the IUware CD, or Windows XP/Vista, or would like assistance with the process, please consult with your Local Support Provider (LSP). If you do not have an LSP, please call the UITS Support Center at 855-6789 (IUB) or 274-4357 (IUPUI). Email: [email protected]

DO NOT CALL OR EMAIL US TO OBTAIN SUPPORT. WE ARE NOT A SUPPORT UNIT. Please contact the Support Center for assistance. Only email us when you have completed these steps and are ready to get back on the network.

Thank you for your immediate attention to this important matter. Please remember in your reply to outline *each* step you took. Simply replying with "I have completed all steps" is not enough.

Regards,

--
Jonny Sweeny
IT Incident Response Manager
IT Policy Office
Office of the VP for IT
Indiana University

Incident Number: 85594

Page 9

Self-service unblock

Page 10

Self-service is great…but

• Need to prevent abuse of trust
  – Track instances of repeat offenders and treat them differently
  – Require tutorial & quiz
  – Delete registration so Get Connected is required again

Page 11

DMCA Quiz

Page 12

Random comments about automation

• Good relationships with network staff translate to access to tools.
  – Null-route
  – MacMon
  – Arpfind
  – Router configs
  – Syslogs
  – Dialup, VPN blocks
  – etc.

Page 13

Random comments about automation

• Access to tools allows automation:
  – Block scanners, phishers, brute-forcers, etc.
  – Blocking remainder of leases

Page 14

Automate Response – IR Web Service

Page 15

Identify user

Page 16

User is blocked and notified

Page 17

Final Thoughts

• 802.1x rolling out now
  – 2,700 WAPs by fall

• Dean of Students NAC
  – Third copyright violation results in permanent ban from attaching personal device to University network
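The repeat-offender tracking from the self-service slide and the three-strikes copyright rule above, combined into one unblock policy. This is an added example, not the presentation's or IU's code; the reason names, the Incident and Decision types, and every threshold other than the third-violation ban are assumptions.

```python
# Added example (not from the presentation): a policy function for a self-service
# unblock portal that treats repeat offenders differently. The only threshold taken
# from the slides is the permanent ban on the third copyright violation; the rest
# are assumed for illustration.
from dataclasses import dataclass
from datetime import date

COPYRIGHT_BAN_THRESHOLD = 3  # third copyright violation: permanent ban (slide 17)


@dataclass(frozen=True)
class Incident:
    user: str
    reason: str   # "bot" (compromise), "copyright", or "scanner" (assumed names)
    when: date


@dataclass(frozen=True)
class Decision:
    self_service: bool         # may the user restore access through the portal?
    require_quiz: bool         # tutorial and quiz before access is restored
    delete_registration: bool  # Get Connected must be completed again
    permanent_ban: bool


def count_prior(history, user, reason=None):
    """Number of earlier incidents for this user, optionally of one reason only."""
    return sum(1 for i in history if i.user == user and reason in (None, i.reason))


def decide(history, new):
    """Decide how a newly blocked user gets network access back."""
    nth_copyright = count_prior(history, new.user, "copyright") + (new.reason == "copyright")
    is_repeat = count_prior(history, new.user) > 0
    if new.reason == "copyright" and nth_copyright >= COPYRIGHT_BAN_THRESHOLD:
        # Dean of Students NAC: personal device permanently banned from the network
        return Decision(False, False, True, True)
    if new.reason == "bot":
        # A compromise needs a rebuild verified by the IR team; never self-service
        return Decision(False, False, True, False)
    if new.reason == "copyright":
        # DMCA quiz every time; repeat offenders also lose their registration
        return Decision(True, True, is_repeat, False)
    # Scanners, brute-forcers etc.: first offence is a quick self-service unblock
    return Decision(True, is_repeat, is_repeat, False)


# Constructed sample history: one user with two earlier copyright blocks
HISTORY = [
    Incident("jsmith", "copyright", date(2008, 2, 1)),
    Incident("jsmith", "copyright", date(2008, 3, 15)),
]
```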

Page 18

Questions

Jonny [email protected]